Transcript Private Programs: Obfuscation, a survey Guy Rothblum Barak, Goldreich, Impagliazzo, Rudich, Sahai, Vadhan and Yang Lynn, Prabhakaran and Sahai Goldwasser and R Using slides by Boaz.

Private Programs:
Obfuscation, a survey
Guy Rothblum
Barak, Goldreich, Impagliazzo, Rudich, Sahai, Vadhan and Yang
Lynn, Prabhakaran and Sahai
Goldwasser and R
Using slides by Boaz Barak, Yael Kalai
Program Obfuscation 101
Obfuscate [verb]
“to make obscure or unclear”
Obfuscator
A compiler that takes programs and makes them
difficult to understand.
Code Obfuscation: what is it?
• To intentionally make a program unintelligible, while
preserving its functionality.
P
Obf
Obf(P)
• Goal: Change program so still has same I/O
behavior but is impossible to understand
for (i=0; i < M.length; i++) {
// Adjust position of clock hands
var ML=(ns)?document.layers['nsMinutes'+i]:ieMinutes[i].style;
ML.top=y[i]+HandY+(i*HandHeight)*Math.sin(min)+scrll;
ML.left=x[i]+HandX+(i*HandWidth)*Math.cos(min);
}
obfuscator
for(O79=0;O79<l6x.length;O79++){var O63=(l70)?document.layers
["nsM\151\156u\164\145s"+O79]:ieMinutes[O79].style;
O63.top=l61[O79]+O76+(O79*O75)*Math.sin(O51)+l73;
O63.left=l75[O79]+l77+(O79*l76)*Math.cos(O51);}
Why Obfuscate?
For Software Protection
Software vendors want to prevent users from
reverse-engineering executable code.
No good solution known.
For Cryptography
Many applications: fully homomorphic encryption,
private to public key crypto, etc.
Obfuscation in Real World
SafeDisc
Advanced
• Copy protection/Licensing
if (test fails) then exit
else …
• Spam
– conceal code that spawns pop-ups
• Software watermarking
• Prevent reverse engineering
– By competitors
– By hackers (e.g., for games)
Off the Shelf Obfuscators
Why Obfuscate?
For Software Protection
Software vendors want to prevent users from
reverse-engineering executable code.
No good solution known.
For Cryptography
Many applications: fully homomorphic encryption,
private to public key crypto, etc.
Obfuscation: Cryptographer’s Dream
– Cryptographic delegation: signature delegation
(SK,PK)
Alice’s secret key
and public key
m
SIGSK
can be verified
given PK
Obfuscation: Cryptographer’s Dream
– Cryptographic delegation: signature delegation
Want to allow
Bob to sign
msgs on Oct05
Obf(SIG
SKSK
)
Oct07
(SK,PK)
– Transform any secret key cryptographic primitive into a public key
one
– Compute on encrypted data
– Solve access control problems
Many cryptographic tasks could be achieved securely by writing
a simple program and then obfuscating it (if possible!).
Black-Box Obfuscation:
Informal Definition [BGI+01]
P
Obf
Obf(P)
Obf(P) is essentially
equivalent to a black box
.P
Defining Obfuscation
[BGIRSVY] Obfuscated program should be
“as secure as” black-box access.
Obfuscator O runs on programs*, must satisfy:
1. Preserves functionality
2. Polynomial slow-down
3. Virtual black-box
*Turing Machines, Circuits
Defining Obfuscation
An algorithm O is an obfuscator if for any program P:
• (functionality) O(P) ~ P (i.e., O(P) computes
the same function as P)
• (polynomial slowdown)
running time of O(P)  p(running time of P)
for some polynomial p( ).
We say that O is efficient if it runs in polynomial time.
Predicate Virtual Black-Box [BGIRSVY]:
For any poly learner L, exists poly simulator S,
s.t. for every (poly time) program P:
Pr[L(O(P)) = 1] ≈ Pr[SP(1|P|)=1]
O(P)
P
x
Learner
0/1
≈
P(x)
Simulator
0/1
Previous Work
[Hada] implications of strong obfuscators
Strong Negative Results
[BGIRSVY] exist Turing Machines, circuits that cannot be
obfuscated
[GK] under stronger definition, many natural circuits cannot
be obfuscated
Limited Positive Results
Obfuscating “point functions” [C,LPS,W,CMR,DS]
Obfuscating using random oracle [LPS]
Unfortunately…
General-purpose obfuscation is IMPOSSIBLE
Proof for Turing Machines:
Cα,β(x) = β if x=α, 0 otherwise
Dα,β(C) = 1 if C(α)=β, 0 otherwise
Intuition:
Given Cα,β , Dα’,β’ “know” output Dα’,β’(Cα,β)
Given black-box access to Cα,β , Dα’,β’
“don’t know” what Dα’,β’(Cα,β) outputs!
“Proof”
Cα,β(x) = β if x=α, 0 otherwise
Dα,β(C) = 1 if C(α)=β, 0 otherwise
Fα,β(b,y) =
Cα,β(y) if b=0
Dα,β(y) if b=1
Zα,β(b,y) =
0 if b=0
Dα,β(y) if b=1
From black-box access, Fα,β, Zα,β look the same
From non black-box access:
O(Fα,β)(1, O(Fα,β(0,·))) = 1
O(Zα,β)(1, O(Zα,β(0,·))) = 0
What to Do?
Look at more specific programs
Point Functions
Relax the Definition
No more black box!
Obfuscating Point Functions
Point or “password” function family:
Ip(x)=
1
0
if x=p
otherwise
Useful e.g. for access control, storing passwords
Restricted family of functions\programs
Tool: Random Oracle
Say we have access to a truly random function
Random Oracle
R:{0,1}n -> {0,1}n
Only way to learn output is querying oracle on input
In general, model is useful (e.g. [FS])
but problematic [CGH,DNRS,GK]
Obfuscating Point Functions
Obfuscated Program(Ip):
[LPS]
Store R(p) (in the clear)
on input x, if R(x)=R(p) output 1
otherwise output 0
Obfuscated b\c of random oracle
Get similar results from (strong) assumptions [C,W]
Note obfuscator works only for very simple point
function programs [M]
What to Do?
Look at more specific programs
Point Functions
Relax the Definition
No more black box!
Relaxed Definition
Compare obfuscated program with black box?
“Apples and oranges”. Program is not black box.
Relax requirement:
Compare obfuscated program with other programs,
we want obfuscation that is “more secure” than any
other program!
Best possible obfuscation.
Best Possible Obfuscation [GR]:
For every poly learner L, exists poly simulator S s.t. for
every circuit C1, for every equivalent C2 (|C1| = |C2|)
distributions L(O(C1)) and S(C2) indistinguishable.
O(C1)
Computational
Statistical
Perfect
Learner
Output
0/1
≈
CC2
x
C(x)
Simulator
Output
0/1
Meaningful Guarantee?
Guarantee from definition:
Anything that can be learned from O(C) can be
learned from any equivalent circuit of same size as
C. O(C) is “more secure” than all these circuits.
Obfuscator has to output some circuit equivalent to C,
definition guarantees the output is best possible.
Indistinguishability Obfuscators
[BGIRSVY] Indistinguishability Obfuscator
Obfuscations of equivalent circuits of the
same size should be computationally
indistinguishable.
Definitions equivalent for efficient obfuscation
(but not for inefficient obfuscation).
Best-Possible Obfuscation Results
Best possible vs. black box obfuscation
– Black-box implies best-possible.
– A “natural” obfuscation task can be achieved under bestpossible but not under black-box definition.
Unconditionally (statistically) best-possible
– If P=NP can best-possible obfuscate all circuits.
– Unconditionally best possible obfuscation for AC0
implies PH collapses to second level.
Obfuscation and Random Oracles
– Can use random-oracle to build (simple, natural) circuits
that cannot be best-possible obfuscated.
Best Possible
vs.
Black-Box Obfuscation
Best-Possible vs. Black-Box
Claim: black-box obfuscator → best-possible obfuscator
Proof Intuition:
Suppose obfuscator not best-possible:
Obfuscations of equivalent C1 and C2 are distinguishable
from non-black-box access,
but circuits indistinguishable from black-box access!
Predicate Adversary
“guesses” whether obfuscation is of C1 or C2.
Obfuscator is not black-box!
Restriction:
Best-Possible
vs. Black-Box (2)
Require
that obfuscator
complexity
OBDDs:
log-space
programs maintains
with read-once
left-toof obfuscated
right measures
access to their
input tape.program.
Interesting both for positive and negative results.
Claim: Can efficiently best-possible* obfuscate OBDDs as
OBDDs.
Proof: OBDDs have efficiently computable canonical
representation [Bryant].
Claim: OBDDs cannot be black-box obfuscated as OBDDs.
Proof: Extract non black-box information from canonical
representation.
Statistically Best-Possible
Obfuscation
If P=NP…
Can perfectly best-possible obfuscate any circuit!
Obfuscator: output the lexicographically first smallest
equivalent circuit (efficient if P=NP).
Simulator: also output the lexicographically first
smallest equivalent circuit (efficient if P=NP).
PERFECTLY best-possible obfuscation.
Statistically Best-Possible?
Goal: unconditionally best-possible obfuscation?
Approaches:
Techniques from secure multi-party computation,
“Randomizing” circuits,
Focusing on low complexity classes.
Statistically Best-Possible → PH Collapse
Theorem:
If CNF circuits can be statistically best-possible
obfuscated (even inefficiently),
then polynomial hierarchy collapses.
Stat. Best-Possible → PH Collapse (2)
Suppose O is statistically best possible obfuscator.
Idea:
Use O to get AM protocol for Co-NP complete
language. Collapses poly hierarchy [F,AH,BHZ].
Co-NP complete language L:
circuit-equivalence, (C1,C2) in L iff C1 ≡ C2
Stat. Best-Possible → PH Collapse (3)
On input (C1,C2) use distributions S(C1),S(C2)
If (C1,C2) not equivalent:
O(C1), O(C2) disjoint by preserving functionality
so S(C1), S(C2) stat.-far by best-possible property
If (C1,C2) equivalent:
O(C1), S(C1) stat.-close by best-possible property
O(C1), S(C2) stat.-close by best-possible property
conclude S(C1),S(C2) also stat. close
Reduced circuit equivalence to statistical distance,
a problem in AM [SV].
Random Oracles
and
Obfuscation
Random Oracles and Obfuscation
[LPS] use random oracles to help obfuscation.
If one could realize random oracles, would this
necessarily help obfuscation?
Not necessarily: can also use random oracles to build
un-obfuscatable circuits!
Random Oracles and Obfuscation
Theorem:
There exists a simple family of circuits implementing
point function functionalities that cannot be bestpossible obfuscated.
Circuits in the family make oracle calls.
Does not rule out that every (non-oracle) circuit can be
best-possible obfuscated.
Unobfuscatable Circuit Cp,M for Ip
Any Circuit computed fromΛCp,M and preserving
functionality must call oracle on x|M.
non=black-box
info
on M!=
pExposes
R(p
|[n]\M
|M)
R
M x 1 x2 x3 x4 x5
. . .
For a point p{0,1}n , choose subset M  [n]
xn
Conclusions and Open Problems
Black-Box Obfuscation
More natural impossibility results [GK]
More Positive Results [HRsV]
Constant-depth circuits?
New Best-Possible Obfuscators
Current positive results have flavor of “finding canonical
representations”.
Goal: more examples of best-possible obfuscation.
Think outside the (black) box
Hardness Results?
Best-possible obfuscation hardness results likely to be
different from black-box results.
THE END
Thank You